Cisco Support Community

New Member

VPN Select process

Does anyone have a document on how the Cisco ASA selects VPN tunnels?

i.e. looks at routing table to choose the interface then looks at crypto maps etc.

Cisco Employee

Re: VPN Select process

It checks the crypto ACL, and matches that from top to bottom of your crypto map sequence. Hence, it is required to configure the crypto ACL as specifically as possible (normally subnet to subnet).

New Member

Re: VPN Select process

Does it look at the routing table before it checks the crypto map?

Cisco Employee

Re: VPN Select process

Sorry to ask, but are you actually terminating the VPN on multiple interfaces hence the question on routing?

Can you please explain what you are trying to achieve that led to your question on whether routing or crypto map comes first?

Cisco Employee

Re: VPN Select process


The device would first see in its routing table how it can reach the destination. If there is no route configured on the ASA or router to reach the destination, it would take the default route.

Now if the egress interface (outgoing interface) for this traffic is the same as the one on which the crypto map is applied, then each and every instance of the map would be checked. If there is a match, then the traffic would be encapsulated and sent to that peer through the tunnel.

So, long story short: first a route lookup would be done and then the crypto map would be checked, if there is a crypto map applied to the egress interface.

Hope this answers your question.
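
Added example, not part of the thread and not Cisco code: a simplified Python model of the order described in the replies above (route lookup picks the egress interface, then the crypto map on that interface is checked top to bottom, first match wins). Interface names, peers and subnets are constructed sample values, and the model covers only these two steps.

```python
import ipaddress

# Constructed sample data: interface names, peers and subnets are hypothetical.
ROUTES = [  # (destination prefix, egress interface)
    ("0.0.0.0/0", "outside"),
    ("10.1.0.0/16", "inside"),
    ("172.16.50.0/24", "dmz"),
]

# Crypto map entries per interface: (sequence, peer, crypto ACL as (src, dst) subnets).
CRYPTO_MAPS = {
    "outside": [
        (10, "203.0.113.10", [("10.1.0.0/16", "192.168.0.0/16")]),   # broad ACL
        (20, "203.0.113.20", [("10.1.1.0/24", "192.168.20.0/24")]),  # shadowed by seq 10
        (30, "203.0.113.30", [("10.1.0.0/16", "172.16.50.0/24")]),   # never reached: routed via dmz
    ],
}

def route_lookup(dst):
    """Longest-prefix match; the default route is used only when nothing more specific exists."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def select_tunnel(src, dst):
    """Return (egress interface, sequence, peer); sequence and peer are None if unencrypted."""
    iface = route_lookup(dst)  # step 1: routing decides the egress interface
    if iface is None:
        return (None, None, None)  # no route at all
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Step 2: only the crypto map applied to that egress interface is consulted.
    for seq, peer, acl in sorted(CRYPTO_MAPS.get(iface, [])):
        for src_net, dst_net in acl:
            if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
                return (iface, seq, peer)  # first matching sequence wins
    return (iface, None, None)

if __name__ == "__main__":
    for flow in [("10.1.1.5", "192.168.20.7"), ("10.1.1.5", "172.16.50.9"),
                 ("10.1.1.5", "198.51.100.8")]:
        print(flow, "->", select_tunnel(*flow))
```

The first flow lands on sequence 10 rather than the intended sequence 20, which is the reason given above for keeping crypto ACLs as specific as possible.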


